Detection Strategy for Impair Defenses via Impair Command History Logging across OS platforms.

ID: DET0563
Domains: Enterprise
Analytics: AN1555, AN1556, AN1557, AN1558, AN1559
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1555

Detection of environment variable tampering (HISTFILE, HISTCONTROL, HISTFILESIZE) and absence of expected bash history writes. Correlation of unset or zeroed history variables with active shell sessions is indicative of adversarial evasion.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | auditd:SYSCALL | execve calls modifying HISTFILE or HISTCONTROL via unset/export
Process Creation (DC0032) | linux:osquery | processes modifying environment variables related to history logging

Mutable Elements
Field | Description
MonitoredUsers | Specific accounts or groups where history logging must always be enforced.
TimeWindow | Correlation period to detect unset/export of history variables during active shells.

AN1556

Detection of bash/zsh history suppression via HISTFILE/HISTCONTROL manipulation and absence of ~/.bash_history updates. Observing environment variable changes tied to terminal processes is a strong indicator.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | Set or unset HIST* variables in shell environment

Mutable Elements
Field | Description
ShellProfiles | Different shells (bash, zsh, fish) may require customized monitoring for history tampering.

AN1557

Detection of PowerShell history suppression using Set-PSReadLineOption with SaveNothing or altered HistorySavePath. Correlating these options with PowerShell usage highlights adversarial evasion attempts.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103
Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1

Mutable Elements
Field | Description
AllowedPaths | List of acceptable PowerShell history save paths for baseline comparison.

AN1558

Detection of unset HISTFILE or modified history variables in ESXi shell sessions. Shell sessions that record no commands despite active usage are correlated and flagged as suspicious.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | esxi:shell | unset HISTFILE or HISTFILESIZE modifications

Mutable Elements
Field | Description
AdminSessions | Differentiate root/admin shell sessions from adversarial misuse of ESXi shell.

AN1559

Detection of CLI commands that disable history logging such as 'no logging'. Anomalous lack of new commands in session logs while activity persists is a strong signal.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | networkdevice:cli | Commands like 'no logging' or equivalents that disable session history

Mutable Elements
Field | Description
DeviceVendors | Command syntax differs across Cisco, Juniper, Fortinet, etc., requiring vendor-aware tuning.
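A worked example of the shell checks from AN1555, AN1556 and AN1558 together with the PowerShell check from AN1557, written for this page and not part of the DET0563 strategy itself: it evaluates constructed command-execution records (the command text the log sources above would carry) against the MonitoredUsers and AllowedPaths mutable elements, whose values here are assumptions.

```python
import re

MONITORED_USERS = {"root"}  # mutable element MonitoredUsers (constructed value)
ALLOWED_PS_HISTORY_PATHS = {r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"}  # AllowedPaths (constructed)
UNSET_RE = re.compile(r"\bunset\s+((?:HIST\w+\s*)+)")
ASSIGN_RE = re.compile(r"\b(HISTFILE|HISTFILESIZE|HISTSIZE)=\"?([^\s;\"]*)")
PS_STYLE_RE = re.compile(r"-HistorySaveStyle\s+(\w+)", re.I)
PS_PATH_RE = re.compile(r"-HistorySavePath\s+[\"']?([^\"'\s]+)", re.I)

def shell_findings(cmdline):
    # bash/zsh/ESXi shell: unset, emptied or zeroed history variables (AN1555, AN1556, AN1558)
    reasons = [f"unset {v}" for m in UNSET_RE.finditer(cmdline) for v in m.group(1).split()]
    for var, val in ASSIGN_RE.findall(cmdline):
        if (var == "HISTFILE" and val in ("", "/dev/null")) or (var != "HISTFILE" and val == "0"):
            reasons.append(f"{var}={val or '<empty>'}")
    return reasons

def powershell_findings(cmdline):
    # PowerShell: Set-PSReadLineOption with SaveNothing or a HistorySavePath outside the baseline (AN1557)
    reasons = []
    if "set-psreadlineoption" in cmdline.lower():
        style = PS_STYLE_RE.search(cmdline)
        if style and style.group(1).lower() == "savenothing":
            reasons.append("HistorySaveStyle SaveNothing")
        path = PS_PATH_RE.search(cmdline)
        if path and path.group(1) not in ALLOWED_PS_HISTORY_PATHS:
            reasons.append(f"HistorySavePath outside AllowedPaths: {path.group(1)}")
    return reasons

CHECKS = {"linux": shell_findings, "macos": shell_findings, "esxi": shell_findings, "windows": powershell_findings}

def detect(events):
    # One alert per suspicious record; MonitoredUsers raise severity to high.
    alerts = []
    for ev in events:
        reasons = CHECKS.get(ev["platform"], lambda _: [])(ev["cmdline"])
        if reasons:
            severity = "high" if ev["user"] in MONITORED_USERS else "medium"
            alerts.append({"user": ev["user"], "platform": ev["platform"], "severity": severity, "reasons": reasons})
    return alerts

SAMPLE_EVENTS = [  # constructed records carrying the command text the log sources above would capture
    {"platform": "linux", "user": "root", "cmdline": "unset HISTFILE HISTSIZE"},
    {"platform": "linux", "user": "alice", "cmdline": "export HISTFILE=/dev/null"},
    {"platform": "linux", "user": "alice", "cmdline": "ls -la /var/log"},
    {"platform": "macos", "user": "bob", "cmdline": "HISTFILESIZE=0 HISTSIZE=0 zsh"},
    {"platform": "windows", "user": "alice", "cmdline": "Set-PSReadLineOption -HistorySaveStyle SaveNothing"},
    {"platform": "windows", "user": "alice", "cmdline": 'Set-PSReadLineOption -HistorySavePath "C:\\Temp\\h.txt"'},
]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts; the benign `ls` record produces none, and the root record is rated high because root is in MonitoredUsers.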